Rule-Based Network-Threat Detection for Encrypted Communications

ABSTRACT

A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

CROSS-REFERENCE TO RELATED APPLICATION(S)

The present application is a continuation of U.S. patent applicationSer. No. 15/877,608, filed Jan. 23, 2018, which is a continuation ofco-pending U.S. patent application Ser. No. 14/757,638, filed Dec. 23,2015, the contents of which are hereby incorporated by reference in itsentirety.

BACKGROUND

Network security is becoming increasingly important as the informationage continues to unfold. Network threats may take a variety of forms(e.g., unauthorized requests or data transfers, viruses, malware, largevolumes of traffic designed to overwhelm resources, and the like).Network-threat services provide information associated with networkthreats, for example, reports that include listings of network-threatindicators (e.g., network addresses, domain names, uniform resourceidentifiers (URIs), and the like). Such information may be utilized toidentify network threats. Encrypted communications, however, mayobfuscate data corresponding to network threats. Accordingly, there is aneed for rule-based network-threat detection for encryptedcommunications.

SUMMARY

The following presents a simplified summary in order to provide a basicunderstanding of some aspects of the disclosure. It is intended neitherto identify key or critical elements of the disclosure nor to delineatethe scope of the disclosure. The following summary merely presents someconcepts of the disclosure in a simplified form as a prelude to thedescription below.

Aspects of this disclosure relate to rule-based network-threat detectionfor encrypted communications. In accordance with embodiments of thedisclosure, a packet-filtering system configured to filter packets inaccordance with packet-filtering rules may receive data indicatingnetwork-threat indicators and may configure the packet-filtering rulesto cause the packet-filtering system to identify packets comprisingunencrypted data, and packets comprising encrypted data. A portion ofthe unencrypted data may correspond to one or more of the network-threatindicators, and the packet-filtering rules may be configured to causethe packet-filtering system to determine, based on the portion of theunencrypted data, that the packets comprising encrypted data correspondto the one or more network-threat indicators.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is pointed out with particularity in the appendedclaims.

Features of the disclosure will become more apparent upon a review ofthis disclosure in its entirety, including the drawing figures providedherewith.

Some features herein are illustrated by way of example, and not by wayof limitation, in the figures of the accompanying drawings, in whichlike reference numerals refer to similar elements, and wherein:

FIG. 1 depicts an illustrative environment for rule-based network-threatdetection for encrypted communications in accordance with one or moreaspects of the disclosure;

FIG. 2 depicts an illustrative packet-filtering system for rule-basednetwork-threat detection for encrypted communications in accordance withone or more aspects of the disclosure;

FIGS. 3A-C, 4A-C, 5A-B, and 6A-B depict illustrative event sequences forrule-based network-threat detection for encrypted communications inaccordance with one or more aspects of the disclosure; and

FIG. 7 depicts an illustrative method for rule-based network-threatdetection for encrypted communications in accordance with one or moreaspects of the disclosure.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. It isto be understood that other embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the disclosure.

Various connections between elements are discussed in the followingdescription.

These connections are general and, unless specified otherwise, may bedirect or indirect, wired or wireless. In this respect, thespecification is not intended to be limiting.

FIG. 1 depicts an illustrative environment for rule-based network-threatdetection for encrypted communications in accordance with one or moreaspects of the disclosure. Referring to FIG. 1, environment 100 mayinclude networks 102 and 104. Network 102 may comprise one or morenetworks (e.g., Local Area Networks (LANs), Wide Area Networks (WANs),Virtual Private Networks (VPNs), or combinations thereof) associatedwith one or more individuals or entities (e.g., governments,corporations, service providers, or other organizations). Network 104may comprise one or more networks (e.g., LANs, WANs, VPNs, orcombinations thereof) that interface network 102 with one or more othernetworks (not illustrated). For example, network 104 may comprise theInternet, a similar network, or portions thereof.

Environment 100 may also include one or more hosts, such as computing ornetwork devices (e.g., servers, desktop computers, laptop computers,tablet computers, mobile devices, smartphones, routers, gateways,firewalls, switches, access points, or the like). For example, network102 may include hosts 106, 108, and 110, proxy devices 112, 114, and116, web proxy 118, rule gates 120, 122, 124, 126, and 128, domain namesystem (DNS) 130, Internet content adaptation protocol (ICAP) server132, and gateway 134. As used herein, “host” (or “hosts”) refers to anytype of network device (or node) or computing device; while such devicesmay be assigned (or configured to be assigned) one or more network-layeraddresses, the term “host” (or “hosts”) does not imply such devicesnecessarily are assigned (or configured to be assigned) one or morenetwork-layer addresses.

Gateway 134 may be located at border 136 between networks 102 and 104and may interface network 102 or one or more hosts located therein withnetwork 104 or one or more hosts located therein. For example, network104 may include one or more rule providers 138, one or morethreat-intelligence providers 140, and hosts 142, 144, and 146, andgateway 134 may interface hosts 106, 108, and 110, proxy devices 112,114, and 116, web proxy 118, rule gates 120, 122, 124, 126, and 128, DNS130, and ICAP server 132 with rule providers 138, threat-intelligenceproviders 140, and hosts 142, 144, and 146.

FIG. 2 depicts an illustrative packet-filtering system for rule-basednetwork-threat detection for encrypted communications in accordance withone or more aspects of the disclosure. Referring to FIG. 2,packet-filtering system 200 may be associated with network 102 and mayinclude one or more of rule gates 120, 122, 124, 126, and 128.Packet-filtering system 200 may comprise one or more processors 202,memory 204, one or more communication interfaces 206, and data bus 208.Data bus 208 may interface processors 202, memory 204, and communicationinterfaces 206. Memory 204 may comprise one or more program modules 210,rules 212, and logs 214. Program modules 210 may comprise instructionsthat when executed by processors 202 cause packet-filtering system 200to perform one or more of the functions described herein. Rules 212 maycomprise one or more packet-filtering rules in accordance with whichpacket-filtering system 200 is configured to filter packets received viacommunication interfaces 206. Logs 214 may include one or more entriesgenerated by processors 202 in accordance with rules 212 for packetsreceived by packet-filtering system 200 via communication interfaces206.

Communication interfaces 206 may interface packet-filtering system 200with one or more communication links of environment 100 (e.g., ofnetworks 102 and 104). In some embodiments, one or more of communicationinterfaces 206 may interface directly with a communication link ofenvironment 100. For example, interfaces 216 and 224 may interfacedirectly with links 236 and 244, respectively. In some embodiments, oneor more of communication interfaces 206 may interface indirectly with acommunication link of environment 100. For example, interface 220 mayinterface with links 236 and 244 via one or more network devices 240.Network devices 240 may provide interface 220 with access to (or copiesof) packets traversing one or more of links 236 and 244, for example,via a switched port analyzer (SPAN) port of network devices 240.Additionally or alternatively, interfaces 218 and 222 may interface withlinks 236 and 244 via tap devices 238 and 242. For example,packet-filtering system 200 may provision tap device 238 with one ormore of rules 212 configured to cause tap device 238 to identify packetstraversing link 236 that correspond to specified criteria and route (orforward) the packets (or copies thereof) to interface 218, andpacket-filtering system 200 may provision tap device 242 with one ormore of rules 212 configured to cause tap device 242 to identify packetstraversing link 244 that correspond to specified criteria and route (orforward) the packets (or copies thereof) to interface 222. Similarly,interfaces 226 and 234 may interface directly with links 246 and 254,respectively; network devices 250 may provide interface 230 with accessto (or copies of) packets traversing one or more of links 246 and 254;packet-filtering system 200 may provision tap device 248 with one ormore of rules 212 configured to cause tap device 248 to identify packetstraversing link 246 that correspond to specified criteria and route (orforward) the packets (or copies thereof) to interface 228; andpacket-filtering system 200 may provision tap device 252 with one ormore of rules 212 configured to cause tap device 252 to identify packetstraversing link 254 that correspond to specified criteria and route (orforward) the packets (or copies thereof) to interface 232. In someembodiments, packet-filtering system 200 may comprise one or more of tapdevices 238, 242, 248, and 252 or network devices 240 and 250.

FIGS. 3A-C, 4A-C, 5A-B, and 6A-B depict illustrative event sequences forrule-based network-threat detection for encrypted communications inaccordance with one or more aspects of the disclosure. The depictedsteps are merely illustrative and may be omitted, combined, or performedin an order other than that depicted; the numbering of the steps ismerely for ease of reference and does not imply any particular orderingis necessary or preferred.

Referring to FIG. 3A, at step #1, threat-intelligence providers 140 maycommunicate one or more threat-intelligence reports to rule providers138. The threat-intelligence reports may include one or morenetwork-threat indicators, for example, domain names (e.g., fullyqualified domain names (FQDNs)), URIs, network addresses, or the like.At step #2, rule providers 138 may utilize the threat-intelligencereports to generate one or more packet-filtering rules configured toidentify packets comprising data corresponding to the network-threatindicators. At step #3, rule providers 138 may communicate thepacket-filtering rules to rule gate 120. As indicated by thecrosshatched boxes over the lines extending downward from network 104,rule gate 128, and gateway 134, the packet-filtering rules may traversenetwork 104, rule gate 128, and gateway 134. For example, network 104and gateway 134 may interface rule providers 138 and rule gate 120, andrule gate 128 may interface a communication link interfacing network 104and gateway 134. Rule gate 120 may receive the packet-filtering rulesgenerated by rule providers 138 and, at step #4, may utilize thereceived packet-filtering rules to configure rules 212 to causepacket-filtering system 200 to identify packets comprising datacorresponding to at least one of the plurality of network-threatindicators.

At step #5, host 106 may generate a request. For example, host 106 mayexecute a web browser, and the web browser may generate a request inresponse to user input (e.g., navigation of the web browser to a URI).The request may comprise a domain name, and host 106 may generate a DNSquery comprising the domain name and, at step #6, may communicate theDNS query toward DNS 130. Rule gate 126 may interface a communicationlink interfacing host 106 and DNS 130, the domain name included in therequest may correspond to one or more of the network-threat indicators,and rules 212 may be configured to cause rule gate 126 to one or more ofidentify one or more packets comprising the DNS query, determine thatthe packets comprise the domain name corresponding to the network-threatindicators, and responsive to one or more of identifying the packets ordetermining that the packets comprise the domain name corresponding tothe network-threat indicators, one or more of log (as indicated by thediamond-patterned box over the line extending downward from rule gate126) or drop the packets. Rule gate 126 may generate log data (e.g., oneor more entries in logs 214) for the packets. For example, the packetsmay comprise a network address of host 106 (e.g., as a source address intheir network-layer headers), and rule gate 126 may generate log dataindicating the network address of host 106. As depicted by step #6A, thepackets may be communicated to DNS 130. In some embodiments, rules 212may be configured to cause rule gate 126 to, responsive to one or moreof identifying the packets or determining that the packets comprise thedomain name corresponding to the network-threat indicators, drop thepackets, preventing them from reaching DNS 130, as depicted by step #6B.

DNS 130 may generate a reply to the DNS query and, at step #7, maycommunicate the reply toward host 106. The reply may comprise the domainname corresponding to the network-threat indicators, and rules 212 maybe configured to cause rule gate 126 to one or more of identify one ormore packets comprising the reply, determine that the packets comprisethe domain name corresponding to the network-threat indicators, andresponsive to one or more of identifying the packets or determining thatthe packets comprise the domain name corresponding to the network-threatindicators, one or more of log or drop the packets. Rule gate 126 maygenerate log data (e.g., one or more entries in logs 214) for thepackets. For example, the packets may comprise the network address ofhost 106 (e.g., as a destination address in their network-layerheaders), and rule gate 126 may generate log data indicating the networkaddress of host 106. Similarly, the domain name may correspond to host142, the packets may comprise a network address of host 142 (e.g., DNS130 may have resolved the domain name included in the query to thenetwork address of host 142.), and rule gate 126 may generate log dataindicating the network address of host 142. As depicted by step #7A, thepackets may be communicated to host 106. In some embodiments, rules 212may be configured to cause rule gate 126 to, responsive to determiningthat the packets comprise the domain name corresponding to thenetwork-threat indicators, drop the packets, preventing them fromreaching host 106, as depicted by step #7B.

Packet-filtering system 200 may be configured to correlate packetsidentified by packet-filtering system 200 (e.g., the packets comprisingthe reply to the DNS query) with packets previously identified bypacket-filtering system 200 (e.g., the packets comprising the DNSquery). For example, packet-filtering system 200 may be configured todetermine that packets identified by packet-filtering system 200 (e.g.,the packets comprising the reply to the DNS query) are one or more ofassociated with, related to, or the product of packets previouslyidentified by packet-filtering system 200 (e.g., the packets comprisingthe DNS query). Packet-filtering system 200 may be configured tocorrelate packets identified by packet-filtering system 200 with packetspreviously identified by packet-filtering system 200 based on datastored in logs 214 (e.g., the log data generated by rule gate 126 insteps #6 and #7).

For example, for one or more packets logged by packet-filtering system200 (e.g., the packets comprising the DNS query or the packetscomprising the reply to the DNS query), logs 214 may comprise one ormore entries indicating one or more of network-layer information (e.g.,information derived from one or more network-layer header fields of thepackets, such as a protocol type, a destination network address, asource network address, a signature or authentication information (e.g.,information from an Internet protocol security (IPsec) encapsulatingsecurity payload (ESP)), or the like), transport-layer information(e.g., a destination port, a source port, a checksum or similar data(e.g., error detection or correction values, such as those utilized bythe transmission control protocol (TCP) or the user datagram protocol(UDP)),or the like), application-layer information (e.g., informationderived from one or more application-layer header fields of the packets,such as a domain name, a uniform resource locator (URL), a uniformresource identifier (URI), an extension, a method, state information,media-type information, a signature, a key, a timestamp, an applicationidentifier, a session identifier, a flow identifier, sequenceinformation, authentication information, or the like), other data in thepackets (e.g., payload data), or one or more environmental variables(e.g., information associated with but not solely derived from thepackets themselves, such as one or more arrival (or receipt) ordeparture (or transmission) times of the packets (e.g., at or from oneor more of rule gates 120, 122, 124, 126, or 128, tap devices 238, 242,248, or 252, or network devices 240 or 250), one or more ingress oregress identifiers (e.g., associated with one or more physical orlogical network interfaces, ports, or communication-media types of oneor more of rule gates 120, 122, 124, 126, or 128, tap devices 238, 242,248, or 252, or network devices 240 or 250 via which the packets wereone or more of received or transmitted), one or more device identifiers(e.g., associated with one or more of rule gates 120, 122, 124, 126, or128, tap devices 238, 242, 248, or 252, or network devices 240 or 250via which the packets were one or more of received or transmitted), orthe like), and packet-filtering system 200 may utilize such entries tocorrelate one or more packets identified by packet-filtering system 200with one or more packets previously identified by packet-filteringsystem 200.

In some embodiments, packet-filtering system 200 may implement one ormore aspects of the technology described in U.S. patent application Ser.No. 14/618,967, filed Feb. 10, 2015, and entitled “CORRELATING PACKETSIN COMMUNICATIONS NETWORKS,” the disclosure of which is incorporated byreference herein in its entirety and made part hereof, or similartechnology (e.g., to correlate one or more packets identified bypacket-filtering system 200 with one or more packets previouslyidentified by packet-filtering system 200).

Host 106 may generate one or more packets destined for host 142comprising data (e.g., a TCP: SYN handshake message) configured toestablish a connection (e.g., a TCP connection or tunnel) between hosts106 and 142 and, at step #8, may communicate the packets toward host142. Rule gate 120 may interface a communication link interfacing hosts106 and 142, and rules 212 may be configured to cause rule gate 120 toone or more of identify the packets or determine (e.g., based on one ormore network addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more of the packetscomprising the DNS query or the reply to the DNS query based on datastored in logs 214 (e.g., the log data generated by rule gate 126 in oneor more of steps #6 or #7).

At step #9, rule gate 120 may route the packets comprising the dataconfigured to establish the connection between hosts 106 and 142 toproxy device 112 and, at step #10, may communicate the packets to proxydevice 112. For example, rules 212 may be configured to cause rule gate120 to route the packets to proxy device 112 based on data in thepackets, for example, one or more ports (e.g., port 443) indicated bytransport-layer headers in the packets, indicating the connectionbetween hosts 106 and 142 will be utilized to establish an encryptedcommunication session or tunnel (e.g., a session established inaccordance with the transport layer security (TLS) protocol, securesockets layer (SSL) protocol, secure shell (SSH) protocol, or the like).In some embodiments, rules 212 may be configured to cause rule gate 120to route the packets to proxy device 112 based on a determination thatone or more of hosts 106 or 142 is associated with a network address forwhich rules 212 indicate encrypted communications should be establishedvia one or more of proxy devices 112, 114, or 116. For example, proxydevices 112, 114, and 116 may be part of a proxy system (e.g., a SSL/TLSproxy system) that enables packet-filtering system 200 to filter packetscomprising encrypted data based on information within the encrypteddata, and rules 212 may be configured to cause rule gate 120 to routethe packets to proxy device 112 based on a determination that host 142is associated with a network address of a domain corresponding to thenetwork-threat indicators.

Additionally or alternatively, network 102 may include one or more hostsfor which rules 212 indicate connections utilized to establish encryptedcommunication sessions (e.g., connections with hosts corresponding tonetwork-threat indicators) should be established via one or more ofproxy devices 112, 114, or 116, as well as one or more hosts for whichrules 212 indicate connections utilized to establish encryptedcommunication sessions should not be established via one or more ofproxy devices 112, 114, and 116, for example, hosts that generatesensitive data (e.g., personally identifiable information (PIO),inspection of which may present privacy or regulatory concerns (e.g.,data subject to the health insurance portability and accountability act(HIPAA), or the like), and rules 212 may be configured to cause rulegate 120 to route the packets to proxy device 112 based on adetermination that host 106 is associated with a network address forwhich rules 212 indicate encrypted communications should be establishedvia one or more of proxy devices 112, 114, or 116.

For example, link 236 may interface host 106 with rule gate 120, link244 may interface rule gate 120 with host 142, link 246 may interfacerule gate 120 with proxy device 112, link 254 may interface proxydevices 112 and 114 and may comprise a communication link internal to aproxy system comprising proxy devices 112 and 114, and rules 212 may beconfigured to cause rule gate 120 to route (or redirect) packetsreceived from host 106 via one or more of interfaces 216, 218, or 220and destined for host 142 (or a portion thereof (e.g., packetscomprising data configured to establish a connection between hosts 106and 142 and indicating the connection will be utilized to establish anencrypted communication session)) to host 142 via interface 226.Additionally or alternatively, rules 212 may be configured to cause rulegate 120 to forward copies of (or mirror) packets received from host 106via one or more of interfaces 216, 218, 220, or 222 and destined forhost 142 (or a portion thereof (e.g., packets comprising data configuredto establish a connection between hosts 106 and 142 and indicating theconnection will be utilized to establish an encrypted communicationsession)) to proxy device 112 via interface 226.

At step #11, proxy devices 112 and 114 may exchange one or moreparameters determined from the packets comprising the data configured toestablish the connection between hosts 106 and 142, for example, one ormore network addresses in network-layer headers of the packets (e.g.,network addresses of hosts 106 and 142) or ports indicated bytransport-layer headers in the packets (e.g., indicating the type ofencrypted communication session the connection will be utilized toestablish). Proxy device 112 may utilize the parameters to generatepackets comprising data configured to establish a connection betweenproxy device 112 and host 106 (e.g., a TCP: SYN-ACK handshake message)and, at step #12, may communicate the packets to host 106. Rules 212 maybe configured to cause rule gate 120 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more of the packets comprising theDNS query or the reply to the DNS query based on data stored in logs 214(e.g., the log data generated by rule gate 126 in one or more of steps#6 or #7), and one or more of log or drop the packets.

Similarly, proxy device 114 may utilize the parameters to generatepackets comprising data configured to establish a connection betweenproxy device 114 and host 142 (e.g., a TCP: SYN handshake message) and,at step #13, may communicate the packets to host 142. Rule gate 128 mayinterface a communication link interfacing proxy device 114 and host142, and rules 212 may be configured to cause rule gate 128 to one ormore of identify the packets, determine (e.g., based on one or morenetwork addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more packetspreviously determined by packet-filtering system 200 to comprise datacorresponding to the network-threat indicators based on data stored inlogs 214 (e.g., log data generated by packet-filtering system 200 in oneor more of steps #6, #7, or #12), and one or more of log or drop thepackets.

Responsive to receiving the packets from proxy device 112, host 106 maygenerate packets comprising data configured to establish the connectionbetween proxy device 112 and host 106 (e.g., a TCP: ACK handshakemessage) and, at step #14, may communicate the packets to proxy device112. Rules 212 may be configured to cause rule gate 120 to one or moreof identify the packets, determine (e.g., based on one or more networkaddresses included in their network-layer headers) that the packetscomprise data corresponding to the network-threat indicators, forexample, by correlating the packets with one or more packets previouslydetermined by packet-filtering system 200 to comprise data correspondingto the network-threat indicators based on data stored in logs 214 (e.g.,log data generated by packet-filtering system 200 in one or more ofsteps #6, #7, #12, or #13), and one or more of log or drop the packets.

Responsive to receiving the packets from proxy device 114, host 142 maygenerate packets comprising data configured to establish the connectionbetween proxy device 114 and host 142 (e.g., a TCP: SYN-ACK handshakemessage) and, at step #15, may communicate the packets to proxy device114. Rules 212 may be configured to cause rule gate 128 to one or moreof identify the packets, determine (e.g., based on one or more networkaddresses included in their network-layer headers) that the packetscomprise data corresponding to the network-threat indicators, forexample, by correlating the packets with one or more packets previouslydetermined by packet-filtering system 200 to comprise data correspondingto the network-threat indicators based on data stored in logs 214 (e.g.,log data generated by packet-filtering system 200 in one or more of step#s 6, 7, or 12-14), and one or more of log or drop the packets.

Responsive to receiving the packets from host 142, proxy device 114 maygenerate packets comprising data configured to establish the connectionbetween proxy device 114 and host 142 (e.g., a TCP: ACK handshakemessage) and, at step #16, may communicate the packets to host 142.Rules 212 may be configured to cause rule gate 128 to one or more ofidentify the packets, determine (e.g., based on one or more networkaddresses included in their network-layer headers) that the packetscomprise data corresponding to the network-threat indicators, forexample, by correlating the packets with one or more packets previouslydetermined by packet-filtering system 200 to comprise data correspondingto the network-threat indicators based on data stored in logs 214 (e.g.,log data generated by packet-filtering system 200 in one or more of step#s 6, 7, or 12-15), and one or more of log or drop the packets.

Referring to FIG. 3B, proxy device 112 may receive the packetscomprising data configured to establish the connection between proxydevice 112 and host 106 communicated by host 106 in step #14, andconnection 302 (e.g., a TCP connection) between proxy device 112 andhost 106 may be established. Similarly, host 142 may receive the packetscomprising data configured to establish the connection between proxydevice 114 and host 142 communicated by proxy device 114 in step #16,and connection 304 (e.g., a TCP connection) between proxy device 114 andhost 142 may be established.

At step #17, proxy device 112 and host 106 may communicate packetscomprising data configured to establish encrypted communication session306 (e.g., a SSL/TLS session) between proxy device 112 and host 106 viaconnection 302. Rules 212 may be configured to cause rule gate 120 toone or more of identify the packets, determine (e.g., based on one ormore network addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more packetspreviously determined by packet-filtering system 200 to comprise datacorresponding to the network-threat indicators based on data stored inlogs 214 (e.g., log data generated by packet-filtering system 200 in oneor more of step #s 6, 7, or 12-16), and one or more of log or drop thepackets. Additionally or alternatively, rules 212 may be configured tocause rule gate 120 to one or more of identify the packets or determinethat the packets comprise data corresponding to the network-threatindicators based on data included in the packets. For example, in someembodiments, host 106 may comprise a client (e.g., web browser), host142 may comprise a server (e.g., web server), the packets may compriseone or more handshake messages configured to establish session 306 thatcomprise unencrypted data including a domain name corresponding to thenetwork-threat indicators, for example, a hello message generated by theclient (e.g., including the domain name in the server name indicationextension, or the like) or a certificate message generated by the server(e.g., including the domain name in one or more of the subject commonname field or the extension subjectAltName (of type dNSName), or thelike), and rules 212 may be configured to cause rule gate 120 to one ormore of identify the packets or determine that the packets comprise datacorresponding to the network-threat indicators based on data included inthe one or more handshake messages configured to establish session 306.In such embodiments, rules 212 may be configured to causepacket-filtering system 200 to one or more of identify the packets ordetermine that the packets comprise data corresponding to thenetwork-threat indicators based on the certificate message comprisingother data (e.g., in addition to or in lieu of the domain name)corresponding to one or more of the network-threat indicators, forexample, data indicating at least one of a serial number (or typethereof) indicated by rules 212, an issuer (or type thereof) indicatedby rules 212, a validity time-range (or type thereof) indicated by rules212, a key (or type thereof) indicated by rules 212, a digital signature(e.g., fingerprint) (or type thereof) indicated by rules 212, or asigning authority (or type thereof) indicated by rules 212.

Similarly, at step #18, proxy device 114 and host 142 may communicatepackets comprising data configured to establish encrypted communicationsession 308 (e.g., a SSL/TLS session) between proxy device 114 and host142 via connection 304, and rules 212 may be configured to cause rulegate 128 to one or more of identify the packets, determine (e.g., basedon one or more network addresses included in their network-layerheaders) that the packets comprise data corresponding to thenetwork-threat indicators, for example, by correlating the packets withone or more packets previously determined by packet-filtering system 200to comprise data corresponding to the network-threat indicators based ondata stored in logs 214 (e.g., log data generated by packet-filteringsystem 200 in one or more of step #s 6, 7, or 12-17) or the packetscomprising one or more handshake messages configured to establishsession 308 that comprise unencrypted data (e.g., including the domainname) corresponding to the network-threat indicators, and one or more oflog or drop the packets.

Host 106 may generate packets comprising data encrypted in accordancewith one or more parameters of session 306 and, at step #19, maycommunicate the packets to proxy device 112 via session 306. Rules 212may be configured to cause rule gate 120 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, or 12-18), and one or more of log (as indicated by the trianglesover the line extending downward from rule gate 120) or drop thepackets.

Proxy device 112 may receive the packets and decrypt the data inaccordance with the parameters of session 306. The packets may comprisea request (e.g., a hypertext transfer protocol (HTTP) request), andproxy device 112 may comprise an ICAP client, which, at step #20, maycommunicate the packets to ICAP server 132. Rule gate 126 may interfacea communication link interfacing proxy device 112 and ICAP server 132,and rules 212 may be configured to cause rule gate 126 to one or more ofidentify the packets, determine (e.g., based on one or more networkaddresses included in their network-layer headers) that the packetscomprise data corresponding to the network-threat indicators, forexample, by correlating the packets with one or more packets previouslydetermined by packet-filtering system 200 to comprise data correspondingto the network-threat indicators based on data stored in logs 214 (e.g.,log data generated by packet-filtering system 200 in one or more of step#s 6, 7, or 12-19), and one or more of log or drop the packets.

ICAP server 132 may generate packets comprising data responsive to therequest (e.g., a response, modified request, or the like) and, at step#21, may communicate the packets to proxy device 112. Rules 212 may beconfigured to cause rule gate 126 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, or 12-20), and one or more of log or drop the packets.Additionally or alternatively, rules 212 may be configured to cause rulegate 126 to one or more of identify the packets or determine that thepackets comprise data corresponding to the network-threat indicatorsbased on data included in the packets, for example, the data responsiveto the request (e.g., a modified request) may comprise data (e.g., adomain name, URI, or the like) corresponding to the network-threatindicators.

Proxy device 112 may generate packets (e.g., based on the data generatedby ICAP server 132) and, at step #22, may communicate the packets toproxy device 114. Rule gate 124 may interface a communication linkinternal to the proxy system comprising proxy devices 112 and 114, andthus packets traversing the communication link may comprise unencrypteddata (e.g., rule gate 124 may be “the man in the middle” of proxydevices 112 and 114), and rules 212 may be configured to cause rule gate124 to one or more of identify the packets, determine (e.g., based onone or more network addresses included in their network-layer headers)that the packets comprise data corresponding to the network-threatindicators, for example, by correlating the packets with one or morepackets previously determined by packet-filtering system 200 to comprisedata corresponding to the network-threat indicators based on data storedin logs 214 (e.g., log data generated by packet-filtering system 200 inone or more of step #s 6, 7, or 12-21), and one or more of log or dropthe packets.

Additionally or alternatively, rules 212 may be configured to cause rulegate 124 to one or more of identify the packets or determine that thepackets comprise data corresponding to the network-threat indicatorsbased on data included in the packets, for example, unencrypted data inthe packets corresponding to one or more of the network-threatindicators. For example, in some embodiments, packet-filtering system200 may implement one or more aspects of the technology described inU.S. patent application Ser. No. 13/795,822, filed Mar. 12, 2013, andentitled “FILTERING NETWORK DATA TRANSFERS,” the disclosure of which isincorporated by reference herein in its entirety and made part hereof,or similar technology, and rules 212 may be configured to cause rulegate 124 to one or more of identify the packets or determine that thepackets comprise data corresponding to the network-threat indicatorsbased on the packets comprising one or more of a URI specified by rules212, data indicating a protocol version specified by rules 212, dataindicating a method specified by rules 212, data indicating a requestspecified by rules 212, or data indicating a command specified by rules212. Additionally or alternatively, rules 212 may be configured to causerule gate 124 to one or more of identify the packets or determine thatthe packets comprise data corresponding to the one or morenetwork-threat indicators based on unencrypted data in the packetscomprising a URI meeting or exceeding a threshold size specified byrules 212 (e.g., a URI likely being utilized to exfiltrate data).

Proxy device 114 may receive the packets and generate one or morecorresponding packets comprising data encrypted in accordance with oneor more parameters of session 308 and, at step #23, may communicate thepackets to host 142. Rules 212 may be configured to cause rule gate 128to one or more of identify the packets, determine (e.g., based on one ormore network addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more packetspreviously determined by packet-filtering system 200 to comprise datacorresponding to the network-threat indicators based on data stored inlogs 214 (e.g., log data generated by packet-filtering system 200 in oneor more of step #s 6, 7, or 12-22), and one or more of log or drop thepackets.

Host 142 may generate one or more packets comprising data encrypted inaccordance with one or more parameters of session 308 and, at step #24,may communicate the packets to proxy device 114. Rules 212 may beconfigured to cause rule gate 128 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, or 12-23), and one or more of log or drop the packets.

Proxy device 114 may receive the packets and generate one or morecorresponding packets comprising unencrypted data and, at step #25, maycommunicate the packets to proxy device 112. Rules 212 may be configuredto cause rule gate 124 to one or more of identify the packets, determine(e.g., based on one or more network addresses included in theirnetwork-layer headers) that the packets comprise data corresponding tothe network-threat indicators, for example, by correlating the packetswith one or more packets previously determined by packet-filteringsystem 200 to comprise data corresponding to the network-threatindicators based on data stored in logs 214 (e.g., log data generated bypacket-filtering system 200 in one or more of step #s 6, 7, or 12-24),and one or more of log or drop the packets.

Proxy device 112 may receive the packets and generate one or morecorresponding packets comprising data encrypted in accordance with oneor more parameters of session 306 and, at step #26, may communicate thepackets to host 106. Rules 212 may be configured to cause rule gate 120to one or more of identify the packets, determine (e.g., based on one ormore network addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more packetspreviously determined by packet-filtering system 200 to comprise datacorresponding to the network-threat indicators based on data stored inlogs 214 (e.g., log data generated by packet-filtering system 200 in oneor more of step #s 6, 7, or 12-25), and one or more of log or drop thepackets.

Host 106 may generate one or more packets comprising data encrypted inaccordance with one or more parameters of session 306 and, at step #27,may communicate the packets toward proxy device 112. Rules 212 may beconfigured to cause rule gate 120 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, or 12-26), and one or more of log or drop the packets.

Proxy device 112 may receive one or more of the packets and generate oneor more corresponding packets comprising unencrypted data and, at step#28, may communicate the packets toward proxy device 114. Rules 212 maybe configured to cause rule gate 124 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, or 12-27), and one or more of log or drop the packets.

Proxy device 114 may receive one or more of the packets and generate oneor more corresponding packets comprising data encrypted in accordancewith one or more parameters of session 308 and, at step #29, maycommunicate the packets toward host 142. Rules 212 may be configured tocause rule gate 128 to one or more of identify the packets, determine(e.g., based on one or more network addresses included in theirnetwork-layer headers) that the packets comprise data corresponding tothe network-threat indicators, for example, by correlating the packetswith one or more packets previously determined by packet-filteringsystem 200 to comprise data corresponding to the network-threatindicators based on data stored in logs 214 (e.g., log data generated bypacket-filtering system 200 in one or more of step #s 6, 7, or 12-28),and one or more of log or drop the packets.

Host 142 may generate one or more packets comprising data encrypted inaccordance with one or more parameters of session 308 and, at step #30,may communicate the packets toward proxy device 114. Rules 212 may beconfigured to cause rule gate 128 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, or 12-29), and one or more of log or drop the packets.

Proxy device 114 may receive one or more of the packets and generate oneor more corresponding packets comprising unencrypted data and, at step#31, may communicate the packets toward proxy device 112. Rules 212 maybe configured to cause rule gate 124 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, or 12-30), and one or more of log or drop the packets.

Proxy device 112 may receive one or more of the packets and generate oneor more corresponding packets comprising data encrypted in accordancewith one or more parameters of session 306 and, at step #32, maycommunicate the packets toward host 106. Rules 212 may be configured tocause rule gate 120 to one or more of identify the packets, determine(e.g., based on one or more network addresses included in theirnetwork-layer headers) that the packets comprise data corresponding tothe network-threat indicators, for example, by correlating the packetswith one or more packets previously determined by packet-filteringsystem 200 to comprise data corresponding to the network-threatindicators based on data stored in logs 214 (e.g., log data generated bypacket-filtering system 200 in one or more of step #s 6, 7, or 12-31),and one or more of log or drop the packets.

Referring to FIG. 3C, at step #33, rule gate 120 may one or more ofupdate a console (or interface) associated with packet-filtering system200 running on host 108 or receive one or more updates to rules 212 viathe console. For example, the console may provide data regarding one ormore threats to network 102 corresponding to the network-threatindicators, and rule gate 120 may update the console based on datastored in logs 214 (e.g., log data generated by packet-filtering system200 in one or more of step #s 6, 7, or 12-32). In some embodiments, theconsole may provide data identifying network threats associated with oneor more of hosts 106, 108, 110, 142, 144, or 146, and rule gate 120 mayupdate data associated with one or more of hosts 106 or 142 based ondata stored in logs 214 (e.g., log data generated by packet-filteringsystem 200 in one or more of step #s 6, 7, or 12-32).

At step #34, rule gate 120 may reconfigure rules 212 based on one ormore of updates received via the console or data stored in logs 214(e.g., log data generated by packet-filtering system 200 in one or moreof step #s 6, 7, or 12-32). For example, packet-filtering system 200 mayimplement one or more aspects of the technology described in U.S. patentapplication Ser. No. 14/690,302, filed Apr. 17, 2015, and entitled“RULE-BASED NETWORK-THREAT DETECTION,” the disclosure of which isincorporated by reference herein in its entirety and made part hereof,or similar technology, and rule gate 120 may reconfigure rules 212 basedon one or more risk scores updated to reflect data stored in logs 214(e.g., log data generated by packet-filtering system 200 in one or moreof step #s 6, 7, or 12-32).

Host 106 may generate one or more packets comprising data encrypted inaccordance with one or more parameters of session 306 and, at step #35,may communicate the packets toward proxy device 112. Rules 212 (e.g.,one or more of rules 212 reconfigured in step #34) may be configured tocause rule gate 120 to one or more of identify the packets, determine(e.g., based on one or more network addresses included in theirnetwork-layer headers) that the packets comprise data corresponding tothe network-threat indicators, for example, by correlating the packetswith one or more packets previously determined by packet-filteringsystem 200 to comprise data corresponding to the network-threatindicators based on data stored in logs 214 (e.g., log data generated bypacket-filtering system 200 in one or more of step #s 6, 7, or 12-32),and one or more of log or drop the packets.

Proxy device 112 may receive one or more of the packets and generate oneor more corresponding packets comprising unencrypted data and, at step#36, may communicate the packets toward proxy device 114. Rules 212(e.g., one or more of rules 212 reconfigured in step #34) may beconfigured to cause rule gate 124 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, 12-32, or 35), and one or more of log or drop the packets.

Proxy device 114 may receive one or more of the packets and generate oneor more corresponding packets comprising data encrypted in accordancewith one or more parameters of session 308 and, at step #37, maycommunicate the packets toward host 142. Rules 212 (e.g., one or more ofrules 212 reconfigured in step #34) may be configured to cause rule gate128 to one or more of identify the packets, determine (e.g., based onone or more network addresses included in their network-layer headers)that the packets comprise data corresponding to the network-threatindicators, for example, by correlating the packets with one or morepackets previously determined by packet-filtering system 200 to comprisedata corresponding to the network-threat indicators based on data storedin logs 214 (e.g., log data generated by packet-filtering system 200 inone or more of step #s 6, 7, 12-32, 35, or 36), and one or more of logor drop the packets.

Host 142 may generate one or more packets comprising data encrypted inaccordance with one or more parameters of session 308 and, at step #38,may communicate the packets toward proxy device 114. Rules 212 (e.g.,one or more of rules 212 reconfigured in step #34) may be configured tocause rule gate 128 to one or more of identify the packets, determine(e.g., based on one or more network addresses included in theirnetwork-layer headers) that the packets comprise data corresponding tothe network-threat indicators, for example, by correlating the packetswith one or more packets previously determined by packet-filteringsystem 200 to comprise data corresponding to the network-threatindicators based on data stored in logs 214 (e.g., log data generated bypacket-filtering system 200 in one or more of step #s 6, 7, 12-32, or35-37), and one or more of log or drop the packets.

Proxy device 114 may receive one or more of the packets and generate oneor more corresponding packets comprising unencrypted data and, at step#39, may communicate the packets toward proxy device 112. Rules 212(e.g., one or more of rules 212 reconfigured in step #34) may beconfigured to cause rule gate 124 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6, 7, 12-32, or 35-38), and one or more of log or drop the packets.

Proxy device 112 may receive one or more of the packets and generate oneor more corresponding packets comprising data encrypted in accordancewith one or more parameters of session 306 and, at step #40, maycommunicate the packets toward host 106. Rules 212 (e.g., one or more ofrules 212 reconfigured in step #34) may be configured to cause rule gate120 to one or more of identify the packets, determine (e.g., based onone or more network addresses included in their network-layer headers)that the packets comprise data corresponding to the network-threatindicators, for example, by correlating the packets with one or morepackets previously determined by packet-filtering system 200 to comprisedata corresponding to the network-threat indicators based on data storedin logs 214 (e.g., log data generated by packet-filtering system 200 inone or more of step #s 6, 7, 12-32, or 35-39), and one or more of log ordrop the packets.

Host 142 may generate one or more packets destined for one or more ofhosts 106, 108, or 110 and, at step #41, may communicate the packetstoward gateway 134. Rules 212 (e.g., one or more of rules 212reconfigured in step #34) may be configured to cause rule gate 128 toone or more of identify the packets, determine (e.g., based on one ormore network addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more packetspreviously determined by packet-filtering system 200 to comprise datacorresponding to the network-threat indicators based on data stored inlogs 214 (e.g., log data generated by packet-filtering system 200 in oneor more of step #s 6, 7, 12-32, or 35-40), and one or more of log ordrop the packets.

Host 108 may generate one or more packets and, at step #42, maycommunicate the packets to host 142. Rules 212 (e.g., one or more ofrules 212 reconfigured in step #34) may be configured to cause rulegates 120 and 128 to one or more of identify the packets, determine(e.g., based on one or more network addresses included in theirnetwork-layer headers) that the packets comprise data corresponding tothe network-threat indicators, for example, by correlating the packetswith one or more packets previously determined by packet-filteringsystem 200 to comprise data corresponding to the network-threatindicators based on data stored in logs 214 (e.g., log data generated bypacket-filtering system 200 in one or more of step #s 6, 7, 12-32, or35-41), and one or more of log or drop the packets.

Host 106 may generate one or more packets destined for hosts 108, 142,144, and 146 and, at step #43, may communicate the packets toward hosts108, 142, 144, and 146. Rules 212 (e.g., one or more of rules 212reconfigured in step #34) may be configured to cause rule gate 120 toone or more of identify the packets, determine (e.g., based on one ormore network addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more packetspreviously determined by packet-filtering system 200 to comprise datacorresponding to the network-threat indicators based on data stored inlogs 214 (e.g., log data generated by packet-filtering system 200 in oneor more of step #s 6, 7, 12-32, or 35-42), and one or more of log ordrop the packets.

Referring to FIG. 4A, step #s 1-5 substantially correspond to step #s1-5 of FIG. 3A.

Host 106 (e.g., the web browser) may be configured to utilize web proxy118 and responsive to the request, may generate packets comprising dataconfigured to establish a connection between host 106 and web proxy 118(e.g., a TCP: SYN handshake message) and, at step #6, may communicatethe packets to web proxy 118. Rule gate 120 may interface acommunication link interfacing host 106 and web proxy 118, and rules 212may be configured to cause rule gate 120 to one or more of identify thepackets, for example, based on one or more network addresses included intheir network-layer headers (e.g., a network address of web proxy 118)or one or more ports (e.g., port 80) indicated by transport-layerheaders in the packets, and one or more of log or drop the packets.

Responsive to receiving the packets from host 106, web proxy 118 maygenerate packets comprising data configured to establish the connectionbetween host 106 and web proxy 118 (e.g., a TCP: SYN-ACK handshakemessage) and, at step #7, may communicate the packets to host 106. Rules212 may be configured to cause rule gate 120 to one or more of identifythe packets, for example, based on one or more network addressesincluded in their network-layer headers (e.g., a network address of webproxy 118) or one or more ports (e.g., port 80) indicated bytransport-layer headers in the packets, and one or more of log or dropthe packets.

Responsive to receiving the packets from web proxy 118, host 106 maygenerate packets comprising data configured to establish the connectionbetween host 106 and web proxy 118 (e.g., a TCP: ACK handshake message)and, at step #8, may communicate the packets to web proxy 118. Rules 212may be configured to cause rule gate 120 to one or more of identify thepackets, for example, based on one or more network addresses included intheir network-layer headers (e.g., a network address of web proxy 118)or one or more ports (e.g., port 80) indicated by transport-layerheaders in the packets, and one or more of log or drop the packets.

Web proxy 118 may receive the packets from host 106, and connection 402(e.g., a TCP connection) between host 106 and web proxy 118 may beestablished. Host 106 may generate packets comprising a request (e.g.,an HTTP CONNECT request), and, at step #9, may communicate the packetsto web proxy 118 via connection 402. Rules 212 may be configured tocause rule gate 120 to one or more of identify the packets, for example,based on one or more network addresses included in their network-layerheaders (e.g., a network address of web proxy 118) or one or more ports(e.g., port 80) indicated by transport-layer headers in the packets,determine the packets comprise data corresponding to the network-threatindicators, for example, a domain name (e.g., FQDN) in the request, andone or more of log or drop the packets.

Web proxy 118 may generate a DNS query comprising the domain name and,at step #10, may communicate the DNS query toward DNS 130. The domainname included in the request may correspond to one or more of thenetwork-threat indicators, and rules 212 may be configured to cause rulegate 126 to one or more of identify one or more packets comprising theDNS query, determine that the packets comprise the domain namecorresponding to the network-threat indicators, and one or more of logor drop the packets. For example, the packets may comprise a networkaddress of web proxy 118 (e.g., as a source address in theirnetwork-layer headers), and rule gate 126 may generate log dataindicating the network address of web proxy 118. As depicted by step#10A, the packets may be communicated to DNS 130. In some embodiments,rules 212 may be configured to cause rule gate 126 to, responsive todetermining that the packets comprise the domain name corresponding tothe network-threat indicators, drop the packets, preventing them fromreaching DNS 130, as depicted by step #10B.

DNS 130 may generate a reply to the DNS query and, at step #11, maycommunicate the reply toward web proxy 118. The reply may comprise thedomain name corresponding to the network-threat indicators, and rules212 may be configured to cause rule gate 126 to one or more of identifyone or more packets comprising the reply, determine that the packetscomprise the domain name corresponding to the network-threat indicators,and one or more of log or drop the packets. For example, the packets maycomprise the network address of web proxy 118 (e.g., as a destinationaddress in their network-layer headers), and rule gate 126 may generatelog data indicating the network address of web proxy 118. Similarly, thedomain name may correspond to host 142, the packets may comprise anetwork address of host 142 (e.g., DNS 130 may have resolved the domainname included in the query to the network address of host 142.), andrule gate 126 may generate log data indicating the network address ofhost 142. As depicted by step #11A, the packets may be communicated toweb proxy 118. In some embodiments, rules 212 may be configured to causerule gate 126 to, responsive to determining that the packets comprisethe domain name corresponding to the network-threat indicators, drop thepackets, preventing them from reaching web proxy 118, as depicted bystep #11B.

Web proxy 118 may generate one or more packets destined for host 142comprising data (e.g., a TCP: SYN handshake message) configured toestablish a connection (e.g., a TCP connection or tunnel) between webproxy 118 and host 142 and, at step #12, may communicate the packetstoward host 142. Rule gate 122 may interface a communication linkinterfacing web proxy 118 and host 142, and rules 212 may be configuredto cause rule gate 122 to one or more of identify the packets ordetermine (e.g., based on one or more network addresses included intheir network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more of the packets comprising therequest, the DNS query, or the reply to the DNS query based on datastored in logs 214 (e.g., the log data generated by rule gates 120 and126 in one or more of step #s 6-11).

At step #13, rule gate 122 may route the packets comprising the dataconfigured to establish the connection between web proxy 118 and host142 to proxy device 112 and, at step #14, may communicate the packets toproxy device 112. For example, rules 212 may be configured to cause rulegate 122 to route the packets to proxy device 112 based on data in thepackets, for example, one or more ports (e.g., port 443) indicated bytransport-layer headers in the packets, indicating the connectionbetween web proxy 118 and host 142 will be utilized to establish anencrypted communication session or tunnel (e.g., a session establishedin accordance with the transport layer security (TLS) protocol, securesockets layer (SSL) protocol, secure shell (SSH) protocol, or the like).

Referring to FIG. 4B, at step #15, proxy devices 112 and 114 mayexchange one or more parameters determined from the packets comprisingthe data configured to establish the connection between web proxy 118and host 142, for example, one or more network addresses innetwork-layer headers of the packets (e.g., network addresses of webproxy 118 and host 142) or ports indicated by transport-layer headers inthe packets (e.g., indicating the type of encrypted communicationsession the connection will be utilized to establish). Proxy device 112may utilize the parameters to generate packets comprising dataconfigured to establish a connection between proxy device 112 and webproxy 118 (e.g., a TCP: SYN-ACK handshake message) and, at step #16, maycommunicate the packets to web proxy 118. Rules 212 may be configured tocause rule gate 122 to one or more of identify the packets or determine(e.g., based on one or more network addresses included in theirnetwork-layer headers) that the packets comprise data corresponding tothe network-threat indicators, for example, by correlating the packetswith one or more of the packets comprising the request, the DNS query,or the reply to the DNS query based on data stored in logs 214 (e.g.,the log data generated by rule gates 120 and 126 in one or more of step#s 6-11).

Similarly, proxy device 114 may utilize the parameters to generatepackets comprising data configured to establish a connection betweenproxy device 114 and host 142 (e.g., a TCP: SYN handshake message) and,at step #17, may communicate the packets to host 142. Rules 212 may beconfigured to cause rule gate 128 to one or more of identify thepackets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6-11 or 16), and one or more of log or drop the packets.

Responsive to receiving the packets from proxy device 112, web proxy 118may generate packets comprising data configured to establish theconnection between proxy device 112 and web proxy 118 (e.g., a TCP: ACKhandshake message) and, at step #18, may communicate the packets toproxy device 112. Rules 212 may be configured to cause rule gate 122 toone or more of identify the packets, determine (e.g., based on one ormore network addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more packetspreviously determined by packet-filtering system 200 to comprise datacorresponding to the network-threat indicators based on data stored inlogs 214 (e.g., log data generated by packet-filtering system 200 in oneor more of step #s 6-11, 16, or 17), and one or more of log or drop thepackets.

Responsive to receiving the packets from proxy device 114, host 142 maygenerate packets comprising data configured to establish the connectionbetween proxy device 114 and host 142 (e.g., a TCP: SYN-ACK handshakemessage) and, at step #19, may communicate the packets to proxy device114. Rules 212 may be configured to cause rule gate 128 to one or moreof identify the packets, determine (e.g., based on one or more networkaddresses included in their network-layer headers) that the packetscomprise data corresponding to the network-threat indicators, forexample, by correlating the packets with one or more packets previouslydetermined by packet-filtering system 200 to comprise data correspondingto the network-threat indicators based on data stored in logs 214 (e.g.,log data generated by packet-filtering system 200 in one or more of step#s 6-11 or 16-18), and one or more of log or drop the packets.

Responsive to receiving the packets from host 142, proxy device 114 maygenerate packets comprising data configured to establish the connectionbetween proxy device 114 and host 142 (e.g., a TCP: ACK handshakemessage) and, at step #20, may communicate the packets to host 142.Rules 212 may be configured to cause rule gate 128 to one or more ofidentify the packets, determine (e.g., based on one or more networkaddresses included in their network-layer headers) that the packetscomprise data corresponding to the network-threat indicators, forexample, by correlating the packets with one or more packets previouslydetermined by packet-filtering system 200 to comprise data correspondingto the network-threat indicators based on data stored in logs 214 (e.g.,log data generated by packet-filtering system 200 in one or more of step#s 6-11 or 16-19), and one or more of log or drop the packets.

Proxy device 112 may receive the packets comprising data configured toestablish the connection between proxy device 112 and web proxy 118communicated by web proxy 118 in step #18, and connection 404 (e.g., aTCP connection) between proxy device 112 and web proxy 118 may beestablished. Similarly, host 142 may receive the packets comprising dataconfigured to establish the connection between proxy device 114 and host142 communicated by proxy device 114 in step #20, and connection 406(e.g., a TCP connection) between proxy device 114 and host 142 may beestablished.

At step #21, proxy device 112 and host 106 may communicate packetscomprising data configured to establish encrypted communication session408 (e.g., a SSL/TLS session) between proxy device 112 and host 106 viaconnections 402 and 404. Rules 212 may be configured to cause one ormore of rule gates 120 or 122 to one or more of identify the packets,determine (e.g., based on one or more network addresses included intheir network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6-11 or 16-20) or the packets comprising one or more handshake messagesconfigured to establish session 408 that comprise unencrypted data(e.g., including the domain name) corresponding to the network-threatindicators, and one or more of log or drop the packets.

Similarly, at step #22, proxy device 114 and host 142 may communicatepackets comprising data configured to establish encrypted communicationsession 410 (e.g., a SSL/TLS session) between proxy device 114 and host142 via connection 406, and rules 212 may be configured to cause rulegate 128 to one or more of identify the packets, determine (e.g., basedon one or more network addresses included in their network-layerheaders) that the packets comprise data corresponding to thenetwork-threat indicators, for example, by correlating the packets withone or more packets previously determined by packet-filtering system 200to comprise data corresponding to the network-threat indicators based ondata stored in logs 214 (e.g., log data generated by packet-filteringsystem 200 in one or more of step #s 6-11 or 16-21) or the packetscomprising one or more handshake messages configured to establishsession 410 that comprise unencrypted data (e.g., including the domainname) corresponding to the network-threat indicators, and one or more oflog or drop the packets.

Referring to FIGS. 4B-C, step #s 23-47 substantially correspond to step#s 19-43 of FIGS. 3B-C; however, rules 212 may be configured to causeone or more of rule gates 120 or 122 to one or more of identify, drop,or log the packets communicated in one or more of step #s 23, 30, 31,36, 39, or 44 of FIGS. 4B-C.

Referring to FIG. 5A, step #s 1-7 substantially correspond to step #s1-7 of FIG. 3A.

Host 106 may generate one or more packets destined for host 142comprising data (e.g., a TCP: SYN handshake message) configured toestablish a connection (e.g., a TCP connection or tunnel) between hosts106 and 142 and, at step #8, may communicate the packets to host 142.Rules 212 may be configured to cause one or more of rule gates 120 or128 to one or more of identify the packets or determine (e.g., based onone or more network addresses included in their network-layer headers)that the packets comprise data corresponding to the network-threatindicators, for example, by correlating the packets with one or more ofthe packets comprising the DNS query or the reply to the DNS query basedon data stored in logs 214 (e.g., the log data generated by rule gate126 in one or more of steps #6 or #7).

Responsive to receiving the packets from host 106, host 142 may generatepackets comprising data configured to establish the connection betweenhosts 106 and 142 (e.g., a TCP: SYN-ACK handshake message) and, at step#9, may communicate the packets to host 106. Rules 212 may be configuredto cause one or more of rule gates 120 or 128 to one or more of identifythe packets or determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more of the packets comprising theDNS query or the reply to the DNS query based on data stored in logs 214(e.g., the log data generated by rule gate 126 in one or more of steps#6 or #7).

Responsive to receiving the packets from host 142, host 106 may generatepackets comprising data configured to establish the connection betweenhosts 106 and 142 (e.g., a TCP: ACK handshake message) and, at step #10,may communicate the packets to host 142. Rules 212 may be configured tocause one or more of rule gates 120 or 128 to one or more of identifythe packets or determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more of the packets comprising theDNS query or the reply to the DNS query based on data stored in logs 214(e.g., the log data generated by rule gate 126 in one or more of steps#6 or #7).

Host 142 may receive the packets comprising data configured to establishthe connection between hosts 106 and 142 communicated by host 106 instep #10, and connection 502 (e.g., a TCP connection) between hosts 106and 142 may be established.

At step #11, hosts 106 and 142 may communicate packets comprising dataconfigured to establish encrypted communication session 504 (e.g., aSSL/TLS session) between hosts 106 and 142 via connection 502. Rules 212may be configured to cause one or more of rule gates 120 or 128 to oneor more of identify the packets, determine (e.g., based on one or morenetwork addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more packetspreviously determined by packet-filtering system 200 to comprise datacorresponding to the network-threat indicators based on data stored inlogs 214 (e.g., log data generated by packet-filtering system 200 in oneor more of step #s 6-10) or the packets comprising one or more handshakemessages configured to establish session 504 that comprise unencrypteddata (e.g., including the domain name) corresponding to thenetwork-threat indicators, and one or more of log or drop the packets.

Host 106 may generate packets comprising data encrypted in accordancewith one or more parameters of session 504 and, at step #12, maycommunicate the packets to host 142. Rules 212 may be configured tocause one or more of rule gates 120 or 128 to one or more of identifythe packets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6-11), and one or more of log or drop the packets.

Host 142 may generate packets comprising data encrypted in accordancewith one or more parameters of session 504 and, at step #13, maycommunicate the packets to host 106. Rules 212 may be configured tocause one or more of rule gates 120 or 128 to one or more of identifythe packets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6-12), and one or more of log or drop the packets.

Host 106 may generate packets comprising data encrypted in accordancewith one or more parameters of session 504 and, at step #14, maycommunicate the packets toward host 142. Rules 212 may be configured tocause one or more of rule gates 120 or 128 to one or more of identifythe packets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6-13), and one or more of log or drop the packets.

Host 142 may generate packets comprising data encrypted in accordancewith one or more parameters of session 504 and, at step #15, maycommunicate the packets toward host 106. Rules 212 may be configured tocause one or more of rule gates 120 or 128 to one or more of identifythe packets, determine (e.g., based on one or more network addressesincluded in their network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6-14), and one or more of log or drop the packets.

Referring to FIG. 513, steps #16 and #17 substantially correspond tosteps #33 and #34 of FIG. 3C.

Host 106 may generate packets comprising data encrypted in accordancewith one or more parameters of session 504 and, at step #18, maycommunicate the packets toward host 142. Rules 212 (e.g., one or more ofrules 212 reconfigured in step #17) may be configured to cause one ormore of rule gates 120 or 128 to one or more of identify the packets,determine (e.g., based on one or more network addresses included intheir network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6-15), and one or more of log or drop the packets.

Host 142 may generate packets comprising data encrypted in accordancewith one or more parameters of session 504 and, at step #19, maycommunicate the packets toward host 106. Rules 212 (e.g., one or more ofrules 212 reconfigured in step #17) may be configured to cause one ormore of rule gates 120 or 128 to one or more of identify the packets,determine (e.g., based on one or more network addresses included intheir network-layer headers) that the packets comprise datacorresponding to the network-threat indicators, for example, bycorrelating the packets with one or more packets previously determinedby packet-filtering system 200 to comprise data corresponding to thenetwork-threat indicators based on data stored in logs 214 (e.g., logdata generated by packet-filtering system 200 in one or more of step #s6-15 and 18), and one or more of log or drop the packets.

Step #s 20-22 substantially correspond to step #s 41-43 of FIG. 3C.

Referring to FIG. 6A, step #s 1-11 substantially correspond to step #s1-11 of FIG. 4A.

Web proxy 118 may generate one or more packets destined for host 142comprising data (e.g., a TCP: SYN handshake message) configured toestablish a connection (e.g., a TCP connection or tunnel) between webproxy 118 and host 142 and, at step #12, may communicate the packets tohost 142. Rules 212 may be configured to cause one or more of rule gates122 or 128 to one or more of identify the packets or determine (e.g.,based on one or more network addresses included in their network-layerheaders) that the packets comprise data corresponding to thenetwork-threat indicators, for example, by correlating the packets withone or more of the packets comprising the DNS query or the reply to theDNS query based on data stored in logs 214 (e.g., the log data generatedby rule gate 126 in one or more of steps #10 or #11).

Responsive to receiving the packets from web proxy 118, host 142 maygenerate packets comprising data configured to establish the connectionbetween web proxy 118 and host 142 (e.g., a TCP: SYN-ACK handshakemessage) and, at step #13, may communicate the packets to web proxy 118.Rules 212 may be configured to cause one or more of rule gates 122 or128 to one or more of identify the packets or determine (e.g., based onone or more network addresses included in their network-layer headers)that the packets comprise data corresponding to the network-threatindicators, for example, by correlating the packets with one or more ofthe packets comprising the DNS query or the reply to the DNS query basedon data stored in logs 214 (e.g., the log data generated by rule gate126 in one or more of steps #10 or #11).

Responsive to receiving the packets from host 142, web proxy 118 maygenerate packets comprising data configured to establish the connectionbetween web proxy 118 and host 142 (e.g., a TCP: ACK handshake message)and, at step #14, may communicate the packets to host 142. Rules 212 maybe configured to cause one or more of rule gates 122 or 128 to one ormore of identify the packets or determine (e.g., based on one or morenetwork addresses included in their network-layer headers) that thepackets comprise data corresponding to the network-threat indicators,for example, by correlating the packets with one or more of the packetscomprising the DNS query or the reply to the DNS query based on datastored in logs 214 (e.g., the log data generated by rule gate 126 in oneor more of steps #10 or #11).

Referring to FIG. 6B, host 142 may receive the packets comprising dataconfigured to establish the connection between web proxy 118 and host142 communicated by web proxy 118 in step #14, and connection 604 (e.g.,a TCP connection) between web proxy 118 and host 142 may be established.

At step #15, hosts 106 and 142 may communicate packets comprising dataconfigured to establish encrypted communication session 606 (e.g., aSSL/TLS session) between hosts 106 and 142 via connections 602 and 604.Rules 212 may be configured to cause one or more of rule gates 120, 122,or 128 to one or more of identify the packets, determine (e.g., based onone or more network addresses included in their network-layer headers)that the packets comprise data corresponding to the network-threatindicators, for example, by correlating the packets with one or morepackets previously determined by packet-filtering system 200 to comprisedata corresponding to the network-threat indicators based on data storedin logs 214 (e.g., log data generated by packet-filtering system 200 inone or more of step #s 6-15) or the packets comprising one or morehandshake messages configured to establish session 606 that compriseunencrypted data (e.g., including the domain name) corresponding to thenetwork-threat indicators, and one or more of log or drop the packets.

Step #s 16-26 substantially correspond to step #s 12-22 of FIGS. 5A-B;however, rules 212 may be configured to cause one or more of rule gates120, 122, or 128 to one or more of identify, drop, or log the packetscommunicated in one or more of step #s 16-19, 22, or 23 of FIG. 6B.

FIG. 7 depicts an illustrative method for rule-based network-threatdetection for encrypted communications in accordance with one or moreaspects of the disclosure. Referring to FIG. 7, in step 702, apacket-filtering system may receive data indicating network-threatindicators. For example, packet-filtering system 200 may receivepacket-filtering rules generated by rule provides 138 based onnetwork-threat indicators provided by threat-intelligence providers 140.In step 704, the packet-filtering system may configure packet-filteringrules in accordance with which it is configured to filter packets. Forexample, packet-filtering system 200 may configure rules 212.

In step 706, the packet-filtering system may identify packets comprisingunencrypted data. For example, packet-filtering system 200 may identifypackets comprising a DNS query, a reply to a DNS query, or a handshakemessage configured to establish an encrypted communication session. Instep 708, the packet-filtering system may identify packets comprisingencrypted data. For example, packet-filtering system 200 may identifypackets encrypted in accordance with one or more parameters of sessions306, 308, 408, 410, 504, or 606.

In step 710, the packet-filtering system may determine based on aportion of the unencrypted data corresponding to the network-threatindicators that the packets comprising encrypted data correspond to thenetwork-threat indicators. For example, packet-filtering system 200 maydetermine that a domain name included in the DNS query, the reply to theDNS query, or the handshake message corresponds to the network-threatindicators, and packet-filtering system 200 may determine that one ormore of the packets encrypted in accordance with the parameters ofsessions 306, 308, 408, 410, 504, or 606 correlate to one or morepackets comprising the DNS query, the reply to the DNS query, or the oneor more handshake messages.

The functions and steps described herein may be embodied incomputer-usable data or computer-executable instructions, such as in oneor more program modules, executed by one or more computers or otherdevices to perform one or more functions described herein. Generally,program modules include routines, programs, objects, components, datastructures, etc. that perform particular tasks or implement particularabstract data types when executed by one or more processors in acomputer or other data-processing device. The computer-executableinstructions may be stored on a computer-readable medium such as a harddisk, optical disk, removable storage media, solid-state memory, RAM,etc. As will be appreciated, the functionality of the program modulesmay be combined or distributed as desired. In addition, thefunctionality may be embodied in whole or in part in firmware orhardware equivalents, such as integrated circuits, application-specificintegrated circuits (ASICs), field-programmable gate arrays (FPGA), andthe like. Particular data structures may be used to more effectivelyimplement one or more aspects of the disclosure, and such datastructures are contemplated to be within the scope ofcomputer-executable instructions and computer-usable data describedherein.

Although not required, one of ordinary skill in the art will appreciatethat various aspects described herein may be embodied as a method,system, apparatus, or one or more computer-readable media storingcomputer-executable instructions. Accordingly, aspects may take the formof an entirely hardware embodiment, an entirely software embodiment, anentirely firmware embodiment, or an embodiment combining software,hardware, and firmware aspects in any combination.

As described herein, the various methods and acts may be operativeacross one or more computing devices and networks. The functionality maybe distributed in any manner or may be located in a single computingdevice (e.g., a server, client computer, or the like).

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications, andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one of ordinary skill in the art willappreciate that the steps illustrated in the illustrative figures may beperformed in other than the recited order and that one or moreillustrated steps may be optional. Any and all features in the followingclaims may be combined or rearranged in any way possible.

What is claimed is:
 1. A packet-filtering system comprising: one or moreprocessors; and memory storing instructions that, when executed by theone or more processors, cause the packet-filtering system to: receivedata from a plurality of third-party threat intelligence providerslocated external to a network comprising the packet-filtering system,wherein each third-party network intelligence provider provides dataregarding a plurality of network-threat indicators; analyze firstunencrypted data contained in one or more unencrypted packets, whereinthe first unencrypted data comprises at least a portion of a TransportLayer Security (TLS) handshake, and wherein the at least a portion ofthe TLS handshake comprises one or more of: an Internet Protocol (IP)address, or a domain name; compare the first unencrypted data to theplurality of network-threat indicators; determine, based on thecomparing, that at least a portion of the first unencrypted datacorresponds to at least one of the plurality of network-threatindicators; correlate, based on determining that the first unencrypteddata comprises the at least a portion of the TLS handshake, and based ondetermining that second unencrypted data contained in one or moreencrypted packets comprises the IP address, the one or more encryptedpackets with one or more of the unencrypted packets; and filter, basedon the correlating, the one or more encrypted packets.
 2. Thepacket-filtering system of claim 1, wherein the at least a portion ofthe TLS handshake comprises the domain name, and wherein theinstructions, when executed by the one or more processors, cause thepacket-filtering system to: determine, based on the domain name andusing a Domain Name System (DNS) query, the second IP address.
 3. Thepacket-filtering system of claim 1, wherein the instructions, whenexecuted by the one or more processors, cause the packet-filteringsystem to correlate the at least one of the one or more encryptedpackets with the one or more of the unencrypted packets further based ona time stamp entry associated with the first unencrypted data.
 4. Thepacket-filtering system of claim 1, wherein the instructions, whenexecuted by the one or more processors, cause the packet-filteringsystem to correlate the at least one of the one or more encryptedpackets with the one or more of the unencrypted packets further basedon: a first time stamp associated with the one or more encryptedpackets, and a second time stamp associated with the first unencrypteddata.
 5. The packet-filtering system of claim 1, wherein theinstructions, when executed by the one or more processors, cause thepacket-filtering system to correlate the at least one of the one or moreencrypted packets with the one or more of the unencrypted packetsfurther based on a port number associated with the first unencrypteddata.
 6. The packet-filtering system of claim 1, wherein theinstructions, when executed by the one or more processors, further causethe packet-filtering system to: generate log data indicating: anindication of filtering of the one or more unencrypted packets; and atleast one of the IP address or the domain name; and determine whetherthe second unencrypted data contained in the one or more encryptedpackets comprises the IP address based on the log data.
 7. Thepacket-filtering system of claim 1, wherein the TLS handshake comprisesone or more of: a ClientHello message generated by the client, or acertificate message generated by the server.
 8. The packet-filteringsystem of claim 1, wherein the instructions, when executed by the one ormore processors, cause the packet-filtering system to filter the one ormore encrypted packets by causing the packet-filtering system to preventfurther transmission of the one or more encrypted packets.
 9. Apacket-filtering system comprising: one or more processors; and memorystoring instructions that, when executed by the one or more processors,cause the packet-filtering system to: receive data from a plurality ofthird-party threat intelligence providers located external to a networkcomprising the packet-filtering system, wherein each third-party networkintelligence provider provides data regarding a plurality ofnetwork-threat indicators; analyze first unencrypted data contained inone or more unencrypted packets, wherein the first unencrypted data isassociated with initiation of a Transmission Control Protocol (TCP)connection, and wherein the first unencrypted data comprises an InternetProtocol (IP) address; compare the first unencrypted data to theplurality of network-threat indicators; determine, based on thecomparing, that at least a portion of the first unencrypted datacorresponds to at least one of the plurality of network-threatindicators; correlate, based on determining that the first unencrypteddata is associated with the initiation of the TCP connection, and basedon determining that second unencrypted data contained in one or moreencrypted packets comprises the IP address, the one or more encryptedpackets with one or more of the unencrypted packets; and filter, basedon the correlating, the one or more encrypted packets.
 10. Thepacket-filtering system of claim 9, wherein the at least a portion ofthe first unencrypted data comprises a domain name, and wherein theinstructions, when executed by the one or more processors, cause thepacket-filtering system to: determine, based on the domain name andusing a Domain Name System (DNS), the IP address.
 11. Thepacket-filtering system of claim 9, wherein the instructions, whenexecuted by the one or more processors, cause the packet-filteringsystem to correlate the at least one of the one or more encryptedpackets with the one or more of the unencrypted packets further based ona time stamp entry associated with the first unencrypted data.
 12. Thepacket-filtering system of claim 9, wherein the instructions, whenexecuted by the one or more processors, cause the packet-filteringsystem to correlate the at least one of the one or more encryptedpackets with the one or more of the unencrypted packets further basedon: a first time stamp associated with the one or more encryptedpackets, and a second time stamp associated with the first unencrypteddata.
 13. The packet-filtering system of claim 9, wherein theinstructions, when executed by the one or more processors, cause thepacket-filtering system to correlate the at least one of the one or moreencrypted packets with the one or more of the unencrypted packetsfurther based on a port number associated with the first unencrypteddata.
 14. The packet-filtering system of claim 9, wherein theinstructions, when executed by the one or more processors, further causethe packet-filtering system to: generate log data indicating: anindication of filtering of the one or more unencrypted packets; and theIP address; and determine whether the second unencrypted data containedin the one or more encrypted packets comprises the IP address based onthe log data.
 15. The packet-filtering system of claim 9, wherein thefirst unencrypted data comprises one of: a SYN handshake message, or anACK handshake message.
 16. The packet-filtering system of claim 9,wherein the instructions, when executed by the one or more processors,cause the packet-filtering system to filter the one or more encryptedpackets by causing the packet-filtering system to prevent furthertransmission of the one or more encrypted packets.
 17. A methodcomprising: receiving, by a packet-filtering system, data from aplurality of third-party threat intelligence providers located externalto a network comprising the packet-filtering system, wherein eachthird-party network intelligence provider provides data regarding aplurality of network-threat indicators; analyzing first unencrypted datacontained in one or more unencrypted packets, wherein the firstunencrypted data comprises at least a portion of a Transport LayerSecurity (TLS) handshake, and wherein the at least a portion of the TLShandshake comprises one or more of: an Internet Protocol (IP) address,or a domain name; comparing the first unencrypted data to the pluralityof network-threat indicators; determining, based on the comparing, thatat least a portion of the first unencrypted data corresponds to at leastone of the plurality of network-threat indicators; correlating, based ondetermining that the first unencrypted data comprises the at least aportion of the TLS handshake, and based on determining that secondunencrypted data contained in one or more encrypted packets comprisesthe IP address, the one or more encrypted packets with one or more ofthe unencrypted packets; and filtering, by the packet-filtering systemand based on the correlating, the one or more encrypted packets.
 18. Themethod of claim 17, wherein the at least a portion of the TLS handshakecomprises the domain name, the method further comprising: determining,based on the domain name and using a Domain Name System (DNS) query, theIP address.
 19. The method of claim 17, wherein correlating the at leastone of the one or more encrypted packets with the one or more of theunencrypted packets is further based on a time stamp entry associatedwith the first unencrypted data.
 20. The method of claim 17, whereincorrelating the at least one of the one or more encrypted packets withthe one or more of the unencrypted packets is further based on: a firsttime stamp associated with the one or more encrypted packets, and asecond time stamp associated with the first unencrypted data.
 21. Themethod of claim 17, wherein correlating the at least one of the one ormore encrypted packets with the one or more of the unencrypted packetsis further based on a port number associated with the first unencrypteddata.
 22. The method of claim 17, wherein the TLS handshake comprisesone or more of: a ClientHello message generated by the client, or acertificate message generated by the server.
 23. The method of claim 17,wherein filtering the one or more encrypted packets comprises preventingfurther transmission of the one or more encrypted packets.
 24. A methodcomprising: receiving, by a packet-filtering system, data from aplurality of third-party threat intelligence providers located externalto a network comprising the packet-filtering system, wherein eachthird-party network intelligence provider provides data regarding aplurality of network-threat indicators; analyzing first unencrypted datacontained in one or more unencrypted packets, wherein the firstunencrypted data is associated with initiation of a Transmission ControlProtocol (TCP) connection, and wherein the first unencrypted datacomprises an Internet Protocol (IP) address; comparing the firstunencrypted data to the plurality of network-threat indicators;determining, based on the comparing, that at least a portion of thefirst unencrypted data corresponds to at least one of the plurality ofnetwork-threat indicators; correlating, based on determining that thefirst unencrypted data is associated with the initiation of the TCPconnection, and based on determining that second unencrypted datacontained in one or more encrypted packets comprises the IP address, theone or more encrypted packets with one or more of the unencryptedpackets; and filtering, by the packet-filtering system and based on thecorrelating, the one or more encrypted packets.
 25. The method of claim24, wherein the at least a portion of the first unencrypted datacomprises a domain name, the method further comprising: determining,based on the domain name and using a Domain Name System (DNS), the IPaddress.
 26. The method of claim 24, wherein correlating the at leastone of the one or more encrypted packets with the one or more of theunencrypted packets is further based on a time stamp entry associatedwith the first unencrypted data.
 27. The method of claim 24, whereincorrelating the at least one of the one or more encrypted packets withthe one or more of the unencrypted packets is further based on: a firsttime stamp associated with the one or more encrypted packets, and asecond time stamp associated with the first unencrypted data.
 28. Themethod of claim 24, wherein correlating the at least one of the one ormore encrypted packets with the one or more of the unencrypted packetsis further based on a port number associated with the first unencrypteddata.
 29. The method of claim 24, wherein the first unencrypted datacomprises one of: a SYN handshake message, or an ACK handshake message.30. The method of claim 24, wherein filtering the one or more encryptedpackets comprises preventing further transmission of the one or moreencrypted packets.